Ok, so I'm looking at fixing the conflicts for 'System: Modify Certificate Profile'. I ran this on each server:

ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "cn=*Modify Certificate Profile*" \* nsds5ReplConflict

And now to make things interesting, this query has different results on each server.

Server #1:

# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
 missions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
 f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile,cn=per
 missions,cn=pbac,dc=aws,dc=cappex,dc=com

Server #2:

# System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap
 pex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
 missions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
 f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=per
 missions,cn=pbac,dc=aws,dc=cappex,dc=com

Server #3:

# System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap
 pex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

I realize that this is a horrible state of replication. My question is, what happens if I modify or delete an entry on one server that doesn't exist on another?

Thanks.

-John

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
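
The per-server comparison described in the message, as an added example that is not part of the original post: it unfolds the wrapped LDIF lines, then reports for each server which DNs are normal entries, which are conflict entries, and which entries carry a member value that points at a conflict DN. The sample input is constructed from the output above and abbreviated to the dn, member and nsds5ReplConflict lines; all function and variable names are assumptions of this example.

```python
# Constructed sample: the three results above, cut down to dn, member and conflict marker.
NORMAL_DN = ("dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap\n"
             " pex,dc=com\n")
CONFLICT_DN = ("dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895\n"
               " f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com\n")
MEMBER_OK = "member: cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com\n"
MEMBER_CONFLICT = ("member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=\n"
                   " privileges,cn=pbac,dc=aws,dc=cappex,dc=com\n")
MARKER = ("nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile,cn=per\n"
          " missions,cn=pbac,dc=aws,dc=cappex,dc=com\n")
SERVERS = {
    "server1": CONFLICT_DN + MEMBER_CONFLICT + MARKER,
    "server2": NORMAL_DN + MEMBER_OK + "\n" + CONFLICT_DN + MEMBER_CONFLICT + MARKER,
    "server3": NORMAL_DN + MEMBER_CONFLICT,
}

def unfold(ldif):
    """RFC 2849 folding: a line that starts with one space continues the previous line."""
    return ldif.replace("\r\n", "\n").replace("\n ", "").splitlines()

def parse(ldif):
    """Return {lowercased dn: {lowercased attr: [values]}}; base64 (attr::) is not decoded."""
    entries, cur = {}, None
    for line in unfold(ldif):
        attr, sep, value = line.partition(": ")
        if not line.strip():
            cur = None                      # a blank line ends the current entry
        elif line.startswith("#") or not sep:
            continue                        # ldapsearch comment or unparseable line
        elif attr.lower() == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(value)
    return entries

def summarize(entries):
    """Split one server's entries into normal and conflict DNs, and flag entries whose
    member values point at a conflict DN (an RDN carrying +nsuniqueid=)."""
    conflict = sorted(dn for dn, a in entries.items() if "nsds5replconflict" in a)
    refs = sorted(dn for dn, a in entries.items()
                  if any("+nsuniqueid=" in m.lower() for m in a.get("member", [])))
    return {"normal": sorted(set(entries) - set(conflict)),
            "conflict": conflict, "member_refs_conflict": refs}

def compare(servers):
    return {name: summarize(parse(text)) for name, text in servers.items()}

if __name__ == "__main__":
    for name, view in compare(SERVERS).items():
        print(name, view)
```

On the sample, server3 is the case worth noticing: it holds no conflict entry for the permission, yet the normal entry's member value still references the conflict DN of the CA Administrator privilege.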